DNSCrypt / DNSCurve

platten · January 16, 2016, 7:47pm

I understand that you plan on supporting DNSSEC out of the box, but is there any chance that you are considering adding support for DNSCrypt or DNSCurve?

JohnnyCalavera · October 10, 2016, 12:25pm

Still no information about this?

Did anyone try to implement this feature as explained here:
https://wiki.openwrt.org/inbox/dnscrypt

bortzmeyer · October 15, 2016, 3:31pm

My personal opinion is that it’s not useful. I would prefer to have the standard DNS-over-TLS (RFC 7858) .

And a public resolver running DNS-over-TLS at turris.cz would be nice, too (and a pony, please )

turrios · October 20, 2016, 9:01pm

I have managed to install dnscrypt. It’s easy:

install it & dnsmasq full
Disable resolver service (luci)
Configure dnsmasq, make it listen to port 53

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
# option port '0'
option nonwildcard '0'
list server '127.0.0.1#5053'
option dnssec '1'
# option dnsseccheckunsigned '1'

oerdnj · March 20, 2017, 12:32pm

Stéphane, CZ.NIC plan to provide a public DNS-over-TLS service as soon there’s support for client DNS-over-TLS in kresd (that’s planned to happen this year).

platten · July 17, 2017, 3:32pm

Are there any updates on this? According to https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status knot already has all the components besides “TLS DNSSEC Chain Extension”.

A little bit of background: my ISP intercepts all DNS traffic and tampers with resolution. I would prefer to address this problem without adding DNSCurve/DNSCrypt which is not supported (or going over a VPN and paying the performance penalty).

Great work!

vcunat · July 17, 2017, 6:25pm

There is still support in kresd for DNS over TLS on client side only ATM. (EDIT: by that I mean kresd can serve TLS but not forward over TLS yet.) CZ.NIC doesn’t provide TLS on the public service yet (easy to try).

Plans tend to change, depending on priorities. Honestly, it seems well possible that the server-side TLS support might not land this year. (I personally have no idea about plans for the public service, unfortunately.)

platten · July 24, 2017, 12:17pm

Is it possible to have my own resolver running on another externally hosted VPS and have kresd be a client (with caching) to that resolver? Please advise.

vcunat · July 24, 2017, 12:43pm

Caching when forwarding is only done with kresd >= 1.3.0, and that’s not yet contained in current stable or RC Omnia. The STUB and FORWARD policies are described in kresd docs.